Cloudmark Security Blog

Fake DocuSign Requests Spreading Malware

This week we have seen a spike in fake DocuSign requests that are being used for phishing or malware distribution. DocuSign is a service used by many businesses to facilitate electronic signature of documents without the need to fax or mail physical copies. However, like any popular and convenient service, DocuSign emails are being faked by spammers intent on phishing credentials or worse. The current attack starts with an email.

The results of clicking on the link will vary depending on what sort of computer you are using. From a Mac you get to a generic email phishing page that looks like this.

DocuSign is mostly used by businesses, so this attack seems to be aimed at infiltrating enterprises rather than compromising individuals. What’s more, the attacker is not trying to cash in with a quick ransomware installation, but to gain control of bank account or payroll credentials for a longer-term but more profitable attack. Of course, if the credentials don’t turn up, the attacker can still install ransomware later.

As always, don’t click on links in emails that you are not expecting, even if the source appears to be a trusted one. It’s also a good idea for enterprises to keep any online banking or financial management on a computer that is not used to read email. Since no defense is completely impenetrable, good security depends on compartmentalization as much as fortification.

UPDATE May 17, 2017. DocuSign has now confirmed that the email addresses targeted by this attack were harvested in a breach of their system. They state that, “…a malicious third party had gained temporary access to a separate, non-core system used for service-related announcements… only a list of email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed…”